Everything Leaks

2024-05-31

This post is the first in a series of posts.

  1. Everything Leaks
  2. Mission Unpossible
  3. What’s in YOUR threat model?
  4. Magic Pixie Dust
  5. Trust Me Bro

The use of the word "cyber" is hereby banned. Well, okay, just banned in this blog post.

I say that because I want to discourage you from thinking about security in the context of computers being hacked. Instead, I'd like to keep your focus at a higher level - thinking in terms of "information security", not limited to just “cyber”.

And to demonstrate why this is important, let's start with this statement: "Computers are just rocks that we tricked into thinking".

I like this statement because our processors and other components are made of semiconductors, which are primarily silicon. Silicate minerals make up roughly 90 percent of the Earth's crust, and beach sand is mostly silica (silicon dioxide, the same stuff as quartz). Our computers run on beach sand!

Okay, so let me show you a computer that is 100% hacker proof.
Dramatically holds up a 3 pound rock.

You can't hack this rock computer! It's not vulnerable to ransomware, you can't exploit a buffer overflow, and there's no XSS or SQL injection here, folks! It can't store Protected Health Information (PHI), Personally Identifiable Information (PII), or payment card data (the kind PCI DSS covers). It's the perfect unhackable computer! Dramatically puts rock down.

Dramatically stares at rock...

Oh, wait... my fingerprints are on it… Someone could lift my fingerprints (PII) off this rock! The rock leaks information. The rock computer is hackable!!!

Okay... I guess we'll just have to fix the rock’s source code then...or maybe update the firewall... Or maybe update its antivirus... or something...

Sounds silly, right?

I propose a statement: "Everything leaks information; there is nothing that does not."

Stop reading and ponder for a moment: can you think of anything that does not leak information? Something that sucks in all information and lets nothing out? Give it a thought before continuing.

Did you think of anything? Many people might say: "What about Black Holes! Aha, now there is something that nothing can escape!"

Well, we know black holes exist, right? We can find where they are, we can see their influence on neighboring stars, and we can measure their mass by how much they bend the space and move the objects near them. We can learn information about them. Sure, light cannot escape from inside the event horizon, but the effect of their gravity reaches outside it. That is the information they leak. There is nothing that exists that does not leak some sort of information.

Alternatively, if there was something that leaked zero information about itself, something that was completely undetectable by any means and did not interact with anything in the universe in any way possible... Would it even physically exist?

The field of information security is about being cognizant of what information is being leaked by the systems that you are building or working with. The practice of information security is about identifying and managing that risk by deploying appropriate countermeasures.

Let's start from the beginning - Information Security has always been important. The ancient Chinese philosopher and general Sun Tzu dedicated a whole chapter to it when he wrote the Art of War two and a half millennia ago. Chapter XIII is titled "The Use of Spies". And what are spies for? Information gathering!

One of the oldest known ciphers, the Caesar cipher, was allegedly used by Julius Caesar to protect messages of military importance 2,000 years ago. It simply shifts every letter a fixed number of places down the alphabet.

Medieval kings sealed sensitive letters with wax. The seal didn't hide the contents, but a broken seal told the recipient that someone had opened the letter along the way.

I think we can all agree that a wax seal on a piece of parchment isn't much of an information security control, and the Caesar cipher is about the weakest form of encryption there is: it has only 25 possible keys, so an attacker simply tries every one of them. Never, ever use the Caesar cipher! There's more on good (and bad) encryption in my upcoming post: Magic Pixie Dust

But let's get back to information security, and let's skip forward a few thousand years. I’d like to briefly mention two things: (1) The Navajo Code Talkers and (2) The Enigma Machine. Both were methods of protecting communication during WWII.

The Navajo Code Talkers were Navajo Marines who transmitted messages over the radio using a code built on the Navajo language. The Japanese could hear the transmissions but were never able to break the code. Yikes! That's a criminally oversimplified summary, so hop on over to the CIA's website for more accurate and detailed information.

The Enigma Machine was an electromechanical rotor cipher machine used by Nazi Germany to encrypt military messages. Enigma was broken first by Polish cryptanalysts before the war and then, at scale, by the Allies at Bletchley Park, a story dramatized in the movie "The Imitation Game".

In the case of both the Navajo Code Talkers and the Enigma machine (and even in the case of Julius Caesar), adversaries could see that messages were being sent, and could intercept them, but for a long time had no way of knowing what those messages said. Note what did leak, though: who was transmitting, to whom, how much, and when. That traffic analysis is information too.

Which brings us to the CIA Triad. No, this is not the Central Intelligence Agency. Here CIA stands for Confidentiality, Integrity, and Availability, three concepts that are fundamental to information security.

  1. Confidentiality refers to the secrecy of information: only the right parties can read it
  2. Integrity refers to the correctness of information: it hasn't been altered, deliberately or by accident
  3. Availability refers to the accessibility of information: it is there when authorized people need it

Confidentiality: Only authorized people and parties have access to specific information. You can protect the information in a lock box under lock and key, you can transmit it out for everyone to see and hear but in encrypted form, or you can put policy and laws around it.

In 1889, the British Government passed the Official Secrets Act, which made unauthorized disclosure of official information a crime. Later classification schemes sorted government material by degree of sensitivity (Top Secret, Secret, Confidential, Restricted, Official, Unclassified) and required it to be handled accordingly. Handled accordingly means that anyone can read unclassified material and Top Secret material can only be read by those with Top Secret clearance. Okay, so there's a law that says that Top Secret information can only be shared with people authorized to consume Top Secret information. There's a law that makes it illegal to share Top Secret material with non-Top-Secret people. We good, right? It's illegal, that means you can't do it, so our information is 100% protected! Right? Right? Hint: No. A law is a deterrent, not a control. But we can protect confidentiality with encryption.

So let's say that we encrypt our information, and closely guard the encryption/decryption keys, now we're good, right? Not exactly.

Integrity: Let's say that you and I are communicating through the mail (snail mail, not email), and I send you an encrypted message that looks like BTSCFGGH34FG7H5G785HF and because you have our super-secret Orphan Annie Decoder Ring you know how to decipher it, but nobody else is able to figure out what it actually means. Is our communication secure?

What happens if someone intercepts that piece of mail, carefully opens it, copies the letter, replaces a few random letters in the secret message, seals it back up, and sends it on to you? They don't know what the message means, you get it, and now it means something completely different. Worse, with many ciphers a change to the ciphertext produces a predictable change in the plaintext, so an attacker who can guess the layout of the message doesn't even have to change letters at random. How do you verify the integrity of the message?

Alternatively, what if someone intercepts that piece of mail, photocopies the message, carefully seals it back up, sends it to you... and then sends you photocopies of that same message every other day. The interceptor (attacker) may not know what the message says, but you think it's a legitimate message from me over and over. This is called a "replay attack". If that decrypted message says "Please deposit $100 in my account", you're going to keep doing that, potentially messing up our clandestine plans. If the interceptor/attacker is also monitoring our bank accounts, they can correlate this encrypted message with the bank transfers and deduce what the encrypted message says. That's information leakage!

We can protect the integrity of our information in a variety of ways, one of which is a Message Authentication Code (MAC). A MAC is additional information sent along with an encrypted message that lets the recipient verify that the message arrived unmodified. You might imagine something like a sum of all the digits in the encrypted message, or a count of the letter 'A'. That would hinder an interceptor who changes characters at random, but not one who recomputes the sum over the altered message, which is why a real MAC is computed with a secret key that the interceptor doesn't have. Covering a timestamp or sequence number with the MAC is what mitigates replay attacks. Contemporary MACs (HMAC, for example) are much more sophisticated in implementation, but the general idea is for the sender to send additional information along with the encrypted message to prove that the message was not messed with before it reached you.
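The three failures above (an attacker editing an encrypted message they can't read, an unkeyed checksum that the attacker simply recomputes, and a replayed message) and the fix, a keyed MAC that also covers a sequence number, as an added example that is not part of the original post. The stream cipher here is a toy built from SHA-256 so the whole thing runs on the Python standard library; that, the 32-byte keys, and the "$100" message are assumptions for the demo. Real systems use a vetted authenticated cipher such as AES-GCM or ChaCha20-Poly1305 rather than hand-rolling this.

```python
"""Encryption alone does not give integrity; encrypt-then-MAC plus a sequence number does.

Added example, not from the original post. The counter-mode stream cipher
built from SHA-256 is a stand-in so this runs with only the standard library;
the message text and keys are constructed for the demo.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: concatenated SHA-256(key || nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: plaintext XOR keystream."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt  # XOR with the same keystream undoes the XOR


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker's bit flip: makes plaintext bytes `old` at `offset` decrypt as `new`.
    Needs no key, only a guess at the message layout: C' = C XOR (old XOR new)."""
    delta = xor(old, new)
    end = offset + len(delta)
    return ciphertext[:offset] + xor(ciphertext[offset:end], delta) + ciphertext[end:]


def byte_sum(data: bytes) -> int:
    """Unkeyed checksum, the 'sum of all the numbers' kind of check. Anyone can recompute it."""
    return sum(data) % 65536


def seal(enc_key: bytes, mac_key: bytes, seq: int, plaintext: bytes) -> dict:
    """Encrypt-then-MAC. The sequence number doubles as the nonce and is covered by
    the tag, so it can be neither reused nor altered without detection."""
    nonce = seq.to_bytes(8, "big")
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"seq": seq, "ct": ct, "tag": tag}


class Receiver:
    """Checks the tag before touching the ciphertext, then rejects stale sequence numbers."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key, self.last_seq = enc_key, mac_key, -1

    def open(self, msg: dict) -> Optional[bytes]:
        nonce = msg["seq"].to_bytes(8, "big")
        expected = hmac.new(self.mac_key, nonce + msg["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return None  # modified or forged
        if msg["seq"] <= self.last_seq:
            return None  # replayed
        self.last_seq = msg["seq"]
        return decrypt(self.enc_key, nonce, msg["ct"])


def demo() -> dict:
    """Runs the three scenarios and returns what the receiver ends up with in each."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    plaintext = b"Please deposit $100 in my account"  # constructed sample message
    offset = plaintext.index(b"$100")
    nonce = bytes(8)

    # 1. Confidentiality only: the attacker turns $100 into $900 without the key.
    ct = encrypt(enc_key, nonce, plaintext)
    bent = tamper(ct, offset, b"$100", b"$900")
    forged = decrypt(enc_key, nonce, bent)

    # 2. Unkeyed checksum: the sender sent (ct, byte_sum(ct)); the attacker
    #    substitutes (bent, byte_sum(bent)) and the receiver's check still passes.
    received_ct, received_sum = bent, byte_sum(bent)
    checksum_passes = byte_sum(received_ct) == received_sum

    # 3. Keyed MAC plus sequence numbers: both tampering and replay are rejected.
    rx = Receiver(enc_key, mac_key)
    msg = seal(enc_key, mac_key, 1, plaintext)
    first = rx.open(msg)       # genuine first delivery
    replay = rx.open(msg)      # same message again
    tampered = rx.open({**msg, "ct": tamper(msg["ct"], offset, b"$100", b"$900")})
    return {"forged": forged, "checksum_passes": checksum_passes,
            "first": first, "replay": replay, "tampered": tampered}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Two design points worth noticing: the tag is verified with `hmac.compare_digest` before anything is decrypted (verify-then-decrypt, so a forged message never reaches the decryption code), and the sequence number is part of what the tag covers, so an attacker can't take a genuine message and re-label it with a fresh number to slip it past the replay check.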

Availability: So let's say that we encrypted our message for confidentiality, and we have used message authentication codes to protect integrity. Are we good yet? No, we are not. In the example so far, I am sending you a secret letter through the mail, and we assume there is a bad actor intercepting our mail and messing with it in order to foil our Pinky-and-the-Brain plans to take over the world. What is to stop this individual from intercepting our mail and simply tossing the letters in the rubbish bin to prevent them from getting to you? They don't have to understand the messages and they don't have to tinker with them in order to foil our plans. They only have to stop us from communicating. This is the "Availability" of the CIA triad.

Ensuring that your information is available can be a real challenge if you have a determined adversary. You could ask for an acknowledgement of receipt, but that acknowledgement will be subject to the same CIA Triad challenges that your original message had. You could hand deliver your message, but then why send it at all? You could use alternatives to the standard postal service, but will your adversary pick up on that? You could send armed guards along with the postal workers to protect your letter, but now we are dipping our toes into the realm of physical security. And if you are relying on physical security, why use all of the cloak-and-dagger encryption and message authentication codes? If you send armed guards along with your letter, doesn't that send up red flags that say "Hey, everybody, there's something secret over here!"? Yes, it does, and that is information leakage.

Everything leaks.

So, in conclusion: everything leaks information. You should not think in terms of "computers being hacked" or "is this software or computer more or less hacker-proof?". You should think in terms of managing your information. Which is where we will pick up in my next blog post: Why my Nana needs Department of Defense level security